WLCG AuthZ Call

Thursday 9 Jun 2022, 15:00 → 16:00 Europe/Zurich

Previous Actions:

Proposed agenda: 

•  
• AOB: 

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

• June 16th

Present: Marcelo S, Tom D, Dave D, Maarten L, John SDS, Petr V, Max F, Mine A, Jim B, Julie M, Jeny T, Roberta M, Francesco G, Brian B, Andrei T, Jeffrey G, Thomas H,

Apologies: Hannah S, Alison P,

Agenda

Hannah is back in the office, but this timeslot currently clashes.
Looking at whether someone from her team can join regularly, or re-organise timeslots.
Better awareness of what's happening.
Looking to set up a meeting at CERN in order to understand service evolution.

Fermilab Token Integration with Websites
- Management told that CERN had already done this, would like some help to test their websites and understanding
- Maarten: unsure that CERN has solved all this, but CMS ops has some
- Mine request for a technical contact - Maarten to look up and will follow up offline
- CERN IT dept reorganisation means there may be some things in the air as things change
- Anyone who else wants to offer help, please email Mine

- can users add extra scopes to WLCG tokens?
- has to do with services wanting to accept tokens from different kinds of providers --> compatibility issues
- can be looked into; related work was done here: https://github.com/scitokens/scitokens-cpp/issues/53

Update on Account Recreation
- Took a while to understand, as log files currently have short lifespans
- When a user is no longer active, they get an expiration grace time and then are removed
- Possible that this is what happened
- Is it acceptable if a user is deleted and then restored with a different subject - how widely may the original subject string be known?
- If the user is onboarded as a new identity, what is the cost of deciding this is wrong later
- Can store account info as long as it's defended under GDPR
- Can subject information be set by hand where necessary? Could be possible if it is not currently
- Check and understand the EOS implementation & mapping
- Need to understand nickname/displayname appearance
- Command line attribute for setting names for ATLAS and LHCb
- CMS uses "user.number" - can consider what is needed in the future

Status of VOMS C++ Library
- Library is supported
- Patch for Nginx
- Good to remove bloated code, but is it worth the effort?
- Is important that still can use the things that are needed
- Default KeyLength set to 1024 - need to check status of release, but in development branch it is 2048.
- Be good to see signs of life - patch made in 2018, but not in any release yet

Discussion for next meeting
- AuthZ mapping

Meeting schedule to be decided through mailing list, bearing in mind next week is TNC (https://tnc22.geant.org/)